tomcat-users mailing list archives

From "Werner Schalk" <werner_sch...@gmx.de>
Subject Re: Problems with SSL-enabled Tomcat 5.5
Date Thu, 30 Aug 2007 15:13:11 GMT
Hello Filip,

thanks a lot for all your support. No, that's something I already tried.
When importing the Verisign root cert in my cacerts file and then importing
the signed cert in my keystore, it seems to be able to build a certificate
chain because I am no longer being asked whether I would like to trust the
certificate. However, when then using that keystore in Tomcat (which only
contains my signed cert) I am getting the second error ("No available
certificate or key corresponds to the SSL cipher suites which are enabled.").

Any more ideas?

Bye,
Seb

----- Original Message ----- 
From: "Filip Hanik - Dev Lists" <devlists@hanik.com>
To: "Tomcat Users List" <users@tomcat.apache.org>
Sent: Thursday, August 30, 2007 5:05 PM
Subject: Re: Problems with SSL-enabled Tomcat 5.5


> looks like the keyAlias="root" is not taking effect, as the container
> complains about not finding one named "tomcat"
>
> could be that it just looks for the tomcat alias to exist.
> this is what I would try next: import the same certificate using the
> "tomcat" alias, and leave the "root" alias in there.
>
> Filip
>
> Werner Schalk wrote:
>> Hello,
>>
>> setting keyAlias="root" did not change anything. Then I downloaded the
>> latest version of Tomcat, added the Verisign cert to my cacerts file
>> and imported my Verisign-signed SSL certificate into a new keystore.
>> Unfortunately that does not change my situation: Either Tomcat is unable
>> to find my alias in the keystore file (if I specify a keyAlias) or there
>> appears to be a problem with the SSL ciphers or certificate itself (if I
>> don't specify a keyAlias).
>>
>> The two error messages I am getting when attempting to start Tomcat are
>> (see further below):
>>
>> 1/with keyAlias directive:
>> INFO: Starting Coyote HTTP/1.1 on myhostname%2F10.10.11.32-6510
>> Aug 29, 2007 12:44:53 PM org.apache.coyote.http11.Http11BaseProtocol
>> start
>> SEVERE: Error starting endpoint
>> java.io.IOException: Alias name tomcat does not identify a key entry
>> at 
>> org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.getKeyManagers(JSSE14SocketFactory.java:143)
>>
>> 2/without keyAlias directive:
>> java.net.SocketException: SSL handshake
>> errorjavax.net.ssl.SSLException: No available certificate or key 
>> corresponds to the SSL cipher suites which are enabled.
>> at 
>> org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket(JSSESocketFactory.java:113)
>>
>> Any more ideas? Is the problem maybe caused because I am creating a new
>> keystore and the key of the Verisign-signed certificate is in a separate
>> file (my colleague deleted the original keystore file)? Are we screwed now?
>>
>> Thank you. Any input is greatly appreciated.
>>
>> Bye,
>> Werner.
>>
>> ----- Original Message ----- From: "Filip Hanik - Dev Lists" 
>> <devlists@hanik.com>
>> To: "Tomcat Users List" <users@tomcat.apache.org>
>> Sent: Wednesday, August 29, 2007 10:32 PM
>> Subject: Re: Problems with SSL-enabled Tomcat 5.5
>>
>>
>>> did you set
>>> keyAlias="root" in server.xml
>>>
>>> Werner Schalk wrote:
>>>> Hello,
>>>>
>>>> I am trying to set up an SSL-enabled Tomcat 5.5.? (5.5.20 I think) on a
>>>> Sun Solaris 10 (Sparc) but it turns out that this appears not to be an
>>>> easy task. Hopefully you guys can shed some light on this. Basically I
>>>> do have a Verisign-signed SSL certificate which I would like to add to
>>>> my existing Tomcat config. Now after spending hours of tweaking the
>>>> config, I do face two problems: Either Tomcat is unable to find my
>>>> alias in the keystore file or there appears to be a problem with the
>>>> SSL ciphers or certificate itself. Hopefully somebody knows what to do,
>>>> this has been giving me a headache for many hours now.
>>>>
>>>> Here is what I did (steps taken from
>>>> http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html, "Importing the
>>>> Certificate"), please note that I removed IPs, hostnames etc. to
>>>> protect the innocent:
>>>>
>>>> 1) Import of the Verisign root cert into my keystore:
>>>>
>>>> $ keytool -import -alias root -keystore wstest -trustcacerts -file 
>>>> verisign.crt
>>>> Enter keystore password:  XXX
>>>> Owner: OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 
>>>> VeriSign, OU=VeriSign International Server CA - Class 3, OU="VeriSign, 
>>>> Inc.", O=VeriSign Trust Network
>>>>
>>>> [ ... ]
>>>>
>>>> Certificate was added to keystore
>>>>
>>>> 2) Import of my Verisign-signed SSL certificate:
>>>>
>>>> $ keytool -import -alias tomcat -keystore wstest -trustcacerts -file 
>>>> mysystem.crt
>>>> Enter keystore password:  XXX
>>>>
>>>> [ ... ]
>>>>
>>>> Certificate was added to keystore
>>>>
>>>> 3) Change of my Tomcat configuration in server.xml to use the new 
>>>> keystore and SSL cert:
>>>>
>>>> <Connector port="8443" maxHttpHeaderSize="16384"
>>>>               address="myhostname" enableLookups="false"
>>>>               disableUploadTimeout="true" acceptCount="100" 
>>>> maxKeepAliveRequests="100"
>>>>               scheme="https" secure="true" clientAuth="false"
>>>>               compression="8192"
>>>>               compressableMimeType="text/javascript,text/css"
>>>>               keystoreFile="/usr/local/tomcat/conf/wstest"
>>>>               keystorePass="XXX" sslProtocol="TLS" keyAlias="tomcat"
>>>> />
>>>>
>>>> 4) Restart of Tomcat and review of Tomcat log file:
>>>>
>>>> # svcadm disable tomcat
>>>> # rm ../logs/catalina.out
>>>> # svcadm enable tomcat
>>>> # tail -f ../logs/catalina.out
>>>>
>>>> [...]
>>>>
>>>> INFO: Deploying web application archive help.war
>>>> Aug 29, 2007 12:44:53 PM org.apache.coyote.http11.Http11BaseProtocol 
>>>> start
>>>> INFO: Starting Coyote HTTP/1.1 on myhostname%2F10.10.11.32-6510
>>>> Aug 29, 2007 12:44:53 PM org.apache.coyote.http11.Http11BaseProtocol 
>>>> start
>>>> SEVERE: Error starting endpoint
>>>> java.io.IOException: Alias name tomcat does not identify a key entry
>>>>        at 
>>>> org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.getKeyManagers(JSSE14SocketFactory.java:143)
>>>>        at 
>>>> org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.init(JSSE14SocketFactory.java:109)
>>>>        at 
>>>> org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:98)
>>>>        at 
>>>> org.apache.tomcat.util.net.PoolTcpEndpoint.initEndpoint(PoolTcpEndpoint.java:294)
>>>>        at 
>>>> org.apache.tomcat.util.net.PoolTcpEndpoint.startEndpoint(PoolTcpEndpoint.java:312)
>>>>        at 
>>>> org.apache.coyote.http11.Http11BaseProtocol.start(Http11BaseProtocol.java:150)
>>>>        at 
>>>> org.apache.coyote.http11.Http11Protocol.start(Http11Protocol.java:75)
>>>>        at 
>>>> org.apache.catalina.connector.Connector.start(Connector.java:1089)
>>>>        at 
>>>> org.apache.catalina.core.StandardService.start(StandardService.java:459)
>>>>        at 
>>>> org.apache.catalina.core.StandardServer.start(StandardServer.java:709)
>>>>        at org.apache.catalina.startup.Catalina.start(Catalina.java:551)
>>>>        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>>        at 
>>>> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>>>>        at 
>>>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>>>>        at java.lang.reflect.Method.invoke(Method.java:585)
>>>>        at 
>>>> org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:294)
>>>>        at 
>>>> org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:432)
>>>>
>>>> However my keystore DOES contain my two keys (Verisign's key as well as 
>>>> my SSL cert):
>>>>
>>>> # keytool -list --keystore wstest -v
>>>> Enter keystore password:  XXX
>>>>
>>>> Keystore type: jks
>>>> Keystore provider: SUN
>>>>
>>>> Your keystore contains 2 entries
>>>>
>>>> Alias name: root
>>>> Creation date: Aug 29, 2007
>>>> Entry type: trustedCertEntry
>>>>
>>>> Owner: OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 
>>>> VeriSign, OU=VeriSign International Server CA - Class 3, OU="VeriSign, 
>>>> Inc.", O=VeriSign Trust Network
>>>>
>>>> [...]
>>>>
>>>> *******************************************
>>>> *******************************************
>>>>
>>>> Alias name: tomcat
>>>> Creation date: Aug 29, 2007
>>>> Entry type: trustedCertEntry
>>>>
>>>> Owner: CN=myhostname, ...
>>>>
>>>> [...]
>>>>
>>>> *******************************************
>>>> *******************************************
>>>>
>>>> Here is the first problem: Why does my alias "tomcat" not identify a 
>>>> key entry in the keystore? It does exist, doesn't it?
>>>>
>>>> 5) Now to get around this problem, I removed the "keyAlias" directive
>>>> from the Tomcat config, which now looks like this:
>>>>
>>>> <Connector port="8443" maxHttpHeaderSize="16384"
>>>>               address="myhostname" enableLookups="false"
>>>>               disableUploadTimeout="true" acceptCount="100" 
>>>> maxKeepAliveRequests="100"
>>>>               scheme="https" secure="true" clientAuth="false"
>>>>               compression="8192"
>>>>               compressableMimeType="text/javascript,text/css"
>>>>               keystoreFile="/usr/local/tomcat/conf/wstest"
>>>>               keystorePass="XXX" sslProtocol="TLS"
>>>> />
>>>>
>>>> 6) Then I restarted Tomcat and here is what I get in the logs:
>>>>
>>>> # svcadm disable tomcat
>>>> # rm ../logs/catalina.out
>>>> # svcadm enable tomcat
>>>> # tail -f ../logs/catalina.out
>>>>
>>>> [...]
>>>>
>>>> java.net.SocketException: SSL handshake 
>>>> errorjavax.net.ssl.SSLException: No available certificate or key 
>>>> corresponds to the SSL cipher suites which are enabled.
>>>>
>>>>        at 
>>>> org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket(JSSESocketFactory.java:113)
>>>>        at 
>>>> org.apache.tomcat.util.net.PoolTcpEndpoint.acceptSocket(PoolTcpEndpoint.java:407)
>>>>        at 
>>>> org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:70)
>>>>        at 
>>>> org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
>>>>        at java.lang.Thread.run(Thread.java:595)
>>>> Aug 29, 2007 12:47:28 PM org.apache.tomcat.util.net.PoolTcpEndpoint 
>>>> acceptSocket
>>>> WARNING: Reinitializing ServerSocket
>>>>
>>>> Another problem. Any ideas?
>>>>
>>>> 7) Then I tried to change the sslProtocol to SSL (rather than TLS) but
>>>> that didn't change anything. The file permissions of the certs are
>>>> okay, they are all world-readable.
>>>>
>>>> So guys any ideas on how to solve this? Has anyone ever encountered
>>>> this problem? I searched on Google but I really was unable to find a
>>>> proper solution.
>>>>
>>>> Any input is greatly appreciated. Thank you very much.
>>>>
>>>> Best regards,
>>>> Werner.
>>>>
>>>>
>>>>
>>>> ---------------------------------------------------------------------
>>>> To start a new topic, e-mail: users@tomcat.apache.org
>>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>>> For additional commands, e-mail: users-help@tomcat.apache.org
>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>>
>>
>>
>
>




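As an added example (not from the thread and not Tomcat's own code), a small Python check that parses `keytool -list -v` output like the listing quoted above and predicts which of the two errors in the thread Tomcat will raise for a given keyAlias. The listing is a constructed sample modelled on Werner's; the entry-type strings keyEntry/PrivateKeyEntry are what keytool prints for an entry that actually holds a private key.

```python
import re

# Constructed sample in the format of `keytool -list -v`, modelled on the
# listing quoted in the thread: two aliases, both trustedCertEntry.
SAMPLE_LISTING = """\
Alias name: root
Entry type: trustedCertEntry
Owner: OU=VeriSign International Server CA - Class 3, O=VeriSign Trust Network

*******************************************
*******************************************

Alias name: tomcat
Entry type: trustedCertEntry
Owner: CN=myhostname, O=Example Org

*******************************************
*******************************************
"""

# keytool labels an entry that holds a private key "keyEntry" (JDK 5/6) or
# "PrivateKeyEntry" (JDK 7+); Tomcat's keyAlias must point at one of these.
KEY_ENTRY_TYPES = {"keyEntry", "PrivateKeyEntry"}

def parse_listing(text):
    """Return one dict of fields per alias block in `keytool -list -v` output."""
    entries = []
    for block in re.split(r"^\*{5,}[ \t]*$", text, flags=re.M):
        fields = dict(re.findall(r"^(Alias name|Entry type|Owner): (.*)$", block, re.M))
        if "Alias name" in fields:
            entries.append(fields)
    return entries

def check_key_alias(text, alias=None):
    """Predict Tomcat's behaviour for this keystore and keyAlias (None = unset)."""
    entries = {e["Alias name"]: e for e in parse_listing(text)}
    key_aliases = [a for a, e in entries.items() if e["Entry type"] in KEY_ENTRY_TYPES]
    if alias is None:
        # Without keyAlias the JSSE key manager picks any key entry; with none, nothing can back a cipher suite.
        if key_aliases:
            return "ok: key entries " + ", ".join(key_aliases)
        return "no key entry: expect 'No available certificate or key corresponds to the SSL cipher suites which are enabled'"
    if alias not in entries:
        return f"alias '{alias}' not found in keystore"
    etype = entries[alias]["Entry type"]
    if etype in KEY_ENTRY_TYPES:
        return "ok"
    return (f"alias '{alias}' is a {etype}: the certificate is present but its private key is not, "
            f"so Tomcat reports 'Alias name {alias} does not identify a key entry'")
```

Both sample aliases are trustedCertEntry because `keytool -import` of a certificate into a keystore that never held the matching private key stores only the certificate; a key entry appears only when the signed certificate is imported, under the same alias, into the keystore that generated the key pair and CSR.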